MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb
SHA3-384 hash: 272080fea34af8cdd9666ab4cd203ba0c019cf284829ceaadb876d4a32927ee197337828fe4c39e90add3602ed24f596
SHA1 hash: e4880db7e86406f1c0c811979fe530cb13b3e415
MD5 hash: 15295523233fe92ea748934480b75553
humanhash: california-cat-alanine-low
File name:SSA.REPORT-4126437.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:5'490'600 bytes
First seen:2024-03-24 03:58:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (243 x ConnectWise)
ssdeep 98304:JBs6efP9AVjPL0K+IdYdnkGzCgJU18bM:LfefPMPIzCgK16
Threatray 36 similar samples on MalwareBazaar
TLSH T18E46F001F3D695B5D5BF1678D87A9265AA30BC048712C7BF5390B96D2D32BC08E327B2
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter bcinfosec
Tags:ConnectWise exe screenconnect signed

Code Signing Certificate

Organisation:Connectwise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-17T00:00:00Z
Valid to:2025-08-15T23:59:59Z
Serial number: 0b9360051bccf66642998998d5ba97ce
Intelligence: 444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
bcinfosec
This screenconnect was the initial entrance vector. Attackers were observed deploying ASync Rat and AnyDesk after a few days.

Intelligence

File Origin
# of uploads :
1
# of downloads :
416
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb.exe
Verdict:
Malicious activity
Analysis date:
2024-03-24 04:00:31 UTC
Tags:
screenconnect remote
Link:
https://app.any.run/tasks/48426c46-3021-4c54-adc7-f4358ea9b9ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Launching a process
Creating a file
Creating a window
Searching for synchronization primitives
Loading a suspicious library
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Creating a process from a recently created file
DNS request
Moving a file to the Windows subdirectory
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd lolbin msiexec net obfuscated overlay packed rundll32
Link:
https://www.filescan.io/uploads/65ffa5087e414bfaaebf3e97/reports/4af3e743-498e-4af7-9af6-4b142e53cf29/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ConnectWise
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ba9bc8e0-04e6-4ae6-8e56-943d37cfc211
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
57 / 100
Link:
https://www.joesandbox.com/analysis/1414624
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1414624 Sample: SSA.REPORT-4126437.exe Startdate: 24/03/2024 Architecture: WINDOWS Score: 57 53 server-nixb2b08525-relay.screenconnect.com 2->53 55 instance-ogpw46-relay.screenconnect.com 2->55 63 Multi AV Scanner detection for submitted file 2->63 65 .NET source code contains potential unpacker 2->65 67 .NET source code references suspicious native API functions 2->67 69 2 other signatures 2->69 8 msiexec.exe 93 48 2->8         started        12 ScreenConnect.ClientService.exe 17 23 2->12         started        15 SSA.REPORT-4126437.exe 5 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 dnsIp5 35 C:\...\ScreenConnect.ClientService.exe, PE32 8->35 dropped 37 C:\Windows\Installer\MSI7C17.tmp, PE32 8->37 dropped 39 C:\Windows\Installer\MSI79A5.tmp, PE32 8->39 dropped 41 8 other files (none is malicious) 8->41 dropped 71 Enables network access during safeboot for specific services 8->71 19 msiexec.exe 8->19         started        21 msiexec.exe 1 8->21         started        23 msiexec.exe 8->23         started        57 server-nixb2b08525-relay.screenconnect.com 145.40.113.100, 443, 49730, 49733 BREEDBANDDELFTNL Netherlands 12->57 73 Reads the Security eventlog 12->73 75 Reads the System eventlog 12->75 25 ScreenConnect.WindowsClient.exe 2 12->25         started        77 Contains functionality to hide user accounts 15->77 28 msiexec.exe 6 15->28         started        59 127.0.0.1 unknown unknown 17->59 file6 signatures7 process8 file9 31 rundll32.exe 8 19->31         started        79 Contains functionality to hide user accounts 25->79 43 C:\Users\user\AppData\Local\...\MSI736A.tmp, PE32 28->43 dropped signatures10 process11 file12 45 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 31->45 dropped 47 C:\...\ScreenConnect.InstallerActions.dll, PE32 31->47 dropped 49 C:\Users\user\...\ScreenConnect.Core.dll, PE32 31->49 dropped 51 Microsoft.Deployme...indowsInstaller.dll, PE32 31->51 dropped 61 Contains functionality to hide user accounts 31->61 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=miqgy3otp44mtmbwefywildn2dxq54zk73bi5ccqi5ksxqcwpl5q._file
Verdict:
malicious
Similar samples:
2b3006b181e2b12f611638000e355e0fda59c62930c3188739d029892188de34
ConnectWise
4ab0c33d9ccfd706cc72899ddf173304e4752282ff694e768cf313ad3c39e10b
ConnectWise
74657366dd7d4c8cfb1580cc19033837d5e3b91cf4e77a111720c01e8fbca489
ConnectWise
ea7d9798c925b0ec1d02108eada571ca7267c172f9bc338faaa0ff8586068fb6
ConnectWise
f9614e9eaab14e34fbda545a83841868278c31638167707029de3ec8240a8991
ConnectWise
+ 26 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/240324-ej3emscb31/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Checks computer location settings
Drops file in System32 directory
Enumerates connected drives
Sets service image path in registry
Unpacked files
SH256 hash:
5efedab29966177c03447d5e5911882cf7f1001a5ed2e1d21712b18ebafd697c
MD5 hash:
456488ccf9c68b5ea1a35696434e0a26
SHA1 hash:
d9ea79874df19f10349cb1ac3b599477949a6a2c
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
SH256 hash:
96e2a8a8b8d2825ebcb8efe62cfa7816519e5a759aef0775b421e618830cc9c1
MD5 hash:
d377559d06cfb5c1356ea849de09ad29
SHA1 hash:
8e0c316ebae495b85d8ac05152677fa68ae51efd
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
SH256 hash:
4aaad185905e5336fd59ab743e0332f18481826d4b6a0dc8286ae178a7a07872
MD5 hash:
9ff7fcb6f41c690ef374ff882296704d
SHA1 hash:
69237ae1cfaae3733e28e23063d33b3c27eda5eb
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
Parent samples :
62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb
6f774574adf66b3273841ed8b532c3f8ecefc43f6535e30373cb087e582fb298
SH256 hash:
f385ba317ff139611256a34c97780dd29ba5352b59ea76020f6d30bf103fa633
MD5 hash:
c67db7a9e46fe8216a48b8c8138e42f7
SHA1 hash:
50b000f9066b6e587451c5a69598158b7e972e9d
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
Parent samples :
62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb
6f774574adf66b3273841ed8b532c3f8ecefc43f6535e30373cb087e582fb298
SH256 hash:
8669dc47adf5630d7d05252ce07b4c42aad1368426938fa244b6fbb39280459b
MD5 hash:
79807052fbebc08cf3fccdf4621e3cd9
SHA1 hash:
172d24eed2aa44f80006762ef1a5652e455205a9
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
Parent samples :
62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb
6f774574adf66b3273841ed8b532c3f8ecefc43f6535e30373cb087e582fb298
SH256 hash:
e4b29e87ae288199964726c10ea221827cfde794c2aee17f71f4561cd09bf472
MD5 hash:
95e483ac0872859afbf474ea322006d4
SHA1 hash:
d44024116695f61f35d219af176ca1dff371b222
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
SH256 hash:
e0946df5fdf760dba7ac02a8e0cd8095984ce4f3eaf9862ac034b4b09d35d8bb
MD5 hash:
d67e6a56329ac1fdf3789595067ad943
SHA1 hash:
c8395fcc4288d5841142a7980635fe5887837d35
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
Parent samples :
62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb
6f774574adf66b3273841ed8b532c3f8ecefc43f6535e30373cb087e582fb298
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
SH256 hash:
9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08
MD5 hash:
5419ff27205d3e5affa3fc18b811b843
SHA1 hash:
cf49072c50456381cd26cd32cb97606c5f5cfd26
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
SH256 hash:
62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb
MD5 hash:
15295523233fe92ea748934480b75553
SHA1 hash:
e4880db7e86406f1c0c811979fe530cb13b3e415
Detections:
INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect_CERT
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b93c6bca-9de0-4fa7-abe1-8d1bd5aca28e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62206c6dd37f38c9b0362171642c6dd0ef0ef32afec28e885047552bc0567afb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect_CERT
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments